
Self-Hosted WordPress and GDPR compliance

So I started this blog after being a long-time “Google+ only” publisher, and now GDPR is coming.

I have looked into making this WordPress instance GDPR compliant, but it’s no fun. The webfonts are easy, but “no more YouTube embeds without a consent orgy” is no fun, and losing the Google/Facebook/Twitter SSO integration will basically lose all mobile users (80% or so of all readers).

The easiest way to get GDPR compliance is to move back to Google+ only, or to move this blog to wordpress.com or to medium.com.

What migration target do you prefer (running a self-hosted instance is not an option for me after May 25)?

Yes, at the moment a completely siloed solution such as medium.com or Google+ looks most attractive. That way I can publish stuff without offering a site; I am just a stream on a larger site. I wouldn’t have to deal with any of this stuff that way, and could focus on content.

The big question is: what is a “private page”? IANAL, but I tend to the opinion that a private site is only accessible to family and friends. That is, it is password protected.

On my blog, I have removed the comments, disabled all cookies, turned off the access log, made sure nothing (like webfonts) is loaded from CDNs. Still I need to think about GDPR because I can receive e-mails (I have to because of German laws), which is again processing of personal data.

I’m still indecisive. Are those GDPR alarmists just scaremongers, and my blog is okay now and everything is going to be fine? Or should I better shut down my webserver before May 25th and wait for some months until the dust has settled?

The GDPR doesn’t differentiate between private and public. It differentiates between businesses/organisations and personal activities. See recital 18:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”

WordPress / blogs are one thing. What if you run your own root/virtual server which handles some Nextcloud or email – even if you’re the only person using it? If you send or receive mail, it will for sure contain personal data. What now? I’m not running any business, so is this “household use”? But running a mail server is certainly not “common household use” in terms of the average user.

I still don’t get it. I have a blog. It loads no third-party assets from anywhere. I don’t store cookies anywhere (because what even for). I don’t have comments (because they only make you sad or angry). The access logs don’t store full IP addresses. So where, pray tell, is the problem supposed to be? What do you need any of that third-party shit for anyway?
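Two of the commenters above mention the same measure: keeping access logs without full IP addresses. The script below is an added example, not code from the blog author or any commenter. It assumes the “combined” log format that Apache and nginx write by default (client address as the first field), and it masks IPv4 addresses to /24 and IPv6 addresses to /48; those prefix lengths are the example’s own choice, and the log lines in `SAMPLE_LOG` are constructed for the demonstration.

```python
import ipaddress
import sys

# Constructed sample lines in the "combined" access-log format used by Apache and nginx.
# The third line has a deliberately unparseable client field to show the failure path.
SAMPLE_LOG = """\
203.0.113.42 - - [24/May/2018:10:15:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:1234:5678:abcd:ef01:2345:6789 - - [24/May/2018:10:15:02 +0200] "GET /feed/ HTTP/1.1" 200 812 "-" "curl/7.58.0"
not-an-ip - - [24/May/2018:10:15:03 +0200] "GET /robots.txt HTTP/1.1" 404 0 "-" "-"
"""

# Prefix lengths to keep (assumption for this example): enough for coarse geography
# and abuse statistics, not enough to single out one subscriber line.
IPV4_KEEP_BITS = 24   # 203.0.113.42 -> 203.0.113.0
IPV6_KEEP_BITS = 48   # 2001:db8:1234:5678:... -> 2001:db8:1234::


def anonymize_ip(addr: str) -> str:
    """Return addr with the host-identifying bits zeroed.

    Anything that does not parse as an IP address is replaced by 0.0.0.0 rather
    than passed through, so a malformed field can never leak the original value.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "0.0.0.0"
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    # strict=False lets us build the enclosing network from a host address.
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the client address, i.e. the first whitespace-delimited field.

    Everything after the first space (timestamp, request, status, user agent)
    is kept byte-for-byte, including a trailing newline if present.
    """
    if not line.strip():
        return line
    first, sep, rest = line.partition(" ")
    return anonymize_ip(first) + sep + rest


def anonymize_log(text: str) -> list:
    """Anonymize every line of a log file given as one string; returns the lines."""
    return [anonymize_log_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    # Filter mode: read an access log on stdin, write the anonymized log to stdout.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines(keepends=True)
    for raw in source:
        sys.stdout.write(anonymize_log_line(raw))
```

Run with no input to see the constructed sample, or pipe a real log through it. Rewriting an existing file after the fact still means the full addresses were on disk once; to avoid that, feed the web server’s log through the script at write time (Apache’s `CustomLog` accepts a piped program, and nginx can log to a FIFO that the script reads), so the unmasked address never touches persistent storage.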

Hi Kristian,
on my side, I do not consider a private blog without any commercial interest as being in the main scope of GDPR.
GDPR applicability / main focus:
1/ Commercial organisations as well as non-commercial organisations computing large collections of private data.
2/ GDPR applies – based on the above scope – as soon as private data of EU citizens are computed; private data = data making it possible to identify the “human behind the data”.

As I know, a WordPress “GDPR plugin” is available. In all cases, the best approach would be to avoid the use of Google Fonts and Google Analytics (as well as equivalent commercial services).

In your specific case, I would not consider avoiding self-hosting or disabling comments. There are some good tutorials for GDPR implementation (including ones released by the BSI) and it is valuable to take a look at them.
Best regards and good luck!